Identity-and-Access-Management-Architect Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Questions and Answers

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option A is the best answer in Salesforce terms.

When partner onboarding must prevent duplicate accounts across Salesforce and an external identity store, the safest design is to control registration in one orchestrated flow rather than allowing each system to create identities independently. A custom self-registration experience can validate whether the partner already exists, create the Salesforce partner records in the right account structure, and coordinate identity creation only once. This avoids the common duplication problem where the identity provider and Salesforce both accept separate registrations for the same business user. The architecture goal is not simply sign-in; it is controlled provisioning with deduplication. For that reason, a custom registration page or process that checks existing partners and then creates records in the right order is the strongest fit. This is why option A is the best answer in Salesforce terms.

For large-scale analysis of suspicious login behavior, the feature often referred to as login forensics or forensic login analysis depends on the deeper telemetry available through Salesforce Shield and related monitoring capabilities. The goal is to identify patterns such as average login volume, off-hours behavior, unusual spikes, and outlier users. Basic Login History shows individual events, but forensic analysis is about aggregating and investigating behavior at scale. That is why the organization needs the analytics-oriented login forensics capability rather than a simple list of logins. The architectural point is that fraud detection usually requires richer monitoring and analysis than the standard admin screens provide, especially in a 15,000-user environment. This is why option B is the best answer in Salesforce terms.

For a mobile-first external identity use case, Salesforce requires both the right base license and the right verification channel entitlement. External Identity licenses support authentication for external users such as consumers, while SMS verification credits support sending one-time verification codes to mobile phones for passwordless or verification-based login experiences. Email verification credits would address email delivery, not SMS-based verification. Identity Connect is unrelated because it is an AD synchronization product for workforce identity, not a CIAM licensing option. The architecture requirement here is straightforward: external users authenticate to Salesforce-backed digital experiences, and mobile number verification is part of the sign-in model. That combination points to External Identity plus SMS verification capacity. This is why options A, D work together as the correct solution.

When SAML sign-on fails during setup, the fastest Salesforce-native diagnostic tool is the SAML Validator. It breaks down the assertion and shows where validation fails, such as certificate issues, audience mismatches, subject formatting, missing attributes, or timestamp problems. That is much more useful than simply reviewing connected app settings or downloading metadata again, because the architect needs visibility into the actual assertion being posted to Salesforce. SAML integrations succeed or fail based on the signed XML and the trust configuration around it, so a validator that exposes the assertion details is the right troubleshooting instrument. In practice, this is the tool admins use to determine whether the issue sits in the identity provider output or in Salesforce configuration. This is why option A is the best answer in Salesforce terms.

When the external identity source supports only OAuth and there is no predefined provider type available in Salesforce, the architect should use a custom external authentication provider. Prebuilt OpenID Connect support assumes an OIDC-compliant provider, which is more specific than raw OAuth. Delegated authentication and certificate-based patterns solve different identity problems and are not meant to retrofit a nonstandard OAuth provider into Experience Cloud sign-in. The custom provider option exists precisely for this gap: it lets Salesforce participate in an authentication exchange with an external service that does not fit one of the standard built-in provider templates. In practice, this gives the architect control over how Salesforce obtains and interprets the external identity information. This is why option C is the best answer in Salesforce terms.

For fine-grained delegated access and long-lived sessions, the Authorization Code flow is the strongest mainstream OAuth choice. It supports user consent, server-side token exchange, and refresh-token issuance in the patterns Salesforce documents for confidential applications. Client Credentials is for app-to-app integration without a user context, and Implicit/User-Agent is less suitable for strong control and durable token management. Username-password is a special-case flow that trades off security and user experience. The reason this matters architecturally is that the authorization code pattern separates user authentication from token exchange and allows the client to keep secrets securely on the server side. That is why it remains the preferred model for robust delegated access to protected Salesforce resources. This is why option B is the best answer in Salesforce terms.

Identity Connect can synchronize several Salesforce security constructs from Active Directory-driven administration, particularly the identity and authorization artifacts attached to users. Profiles and permission sets are directly relevant because they define user capabilities in Salesforce. Roles also matter because they shape record access and hierarchy behavior. Public groups can participate in permission design and assignment patterns as well. By contrast, sharing rules and permission set licenses are not the core mapping focus in the same way. The main architectural takeaway is that Identity Connect is about translating directory-based user management into Salesforce access structures, especially those that determine who a user is, what they can do, and where they sit in the org’s access model. This is why options B, D, E work together as the correct solution.

Contactless users in Experience Cloud are tied to a narrower external identity model than full community users associated with contacts. That is the important architectural tradeoff. The feature can reduce overhead for certain external identity scenarios, but it also limits what license model and functionality are available. In practice, architects need to recognize that contactless users are associated with External Identity use cases rather than the richer Experience Cloud collaboration capabilities that depend on account-contact relationships. That is why the decision affects portal design, entitlement options, and downstream business processes. The right answer focuses on the license and capability limitation, not on speculative behavior about passwordless login or automatic contact creation during a later license change. This is why option C is the best answer in Salesforce terms.

If the organization wants users to sign in only through SSO and not by entering credentials at login.salesforce.com, two standard controls are used together. My Domain can be configured to prevent login from the generic Salesforce login page, forcing users onto the org-specific authentication entry point. In addition, the user can be marked as “Is Single Sign-On Enabled,” which prevents password-based Salesforce login for that user. Those two controls reinforce each other: one redirects the entry point, and the other removes the fallback credential path. Delegated authentication is not required just to enforce SSO, and simply enabling SSO never means Salesforce credentials stop working automatically. The architecture goal is to remove non-SSO login paths deliberately. This is why options A, D work together as the correct solution.

For real-time visibility into login events and other security-relevant user activity, Salesforce Event Monitoring is the purpose-built monitoring feature. Event Monitoring and Event Log Files give security and identity teams access to detailed telemetry about login behavior, session activity, API usage, and other actions that matter for threat detection and investigation. Profiles and encryption settings do not provide operational monitoring, and Data Loader is unrelated. The architectural distinction is between preventive controls and detective controls. Event Monitoring is a detective control: it helps the organization observe behavior, identify anomalies, and react quickly. When the requirement mentions unusual login patterns, security incidents, or real-time monitoring, Salesforce documentation points architects toward Event Monitoring rather than ordinary administrative setup screens. This is why option A is the best answer in Salesforce terms.

External Identity is the Salesforce license intended for business-to-consumer and other external audience identity scenarios. When the requirement is to provide single sign-on or authentication services for customers rather than internal employees, this is the licensing model architects evaluate first. Identity Only is typically used for internal workforce users who need identity services without broad CRM access, while partner licenses address collaboration models tied to partner accounts. The design driver here is audience type: the users are external consumers of a B2C-style application. Salesforce separates those audiences in licensing because the underlying access model, scale expectations, and Experience Cloud use cases differ from workforce identity. That is why External Identity is the appropriate license choice. This is why option C is the best answer in Salesforce terms.

For an Experience Cloud site that uses Salesforce as the identity provider, the supported login experiences are the standard page types intended for authentication. Salesforce supports a Login Discovery page, which helps identify the user and route them appropriately, and an Embedded Login page, which allows the login experience to be embedded into a branded front-end. These are purpose-built for sign-in scenarios. By contrast, a generic Experience Builder content page or a Lightning Experience page is not the same thing as a supported login page type for the site’s authentication flow. The important distinction in Salesforce documentation is between pages designed for site content and pages designed to participate directly in the authentication journey. This is why options A, C work together as the correct solution.

When customers can authenticate with multiple social identities but Salesforce must maintain only one user record per person, the logic belongs in the authentication provider and registration-handler pattern. Authentication providers handle the external trust with the social platforms, while a custom registration handler can locate an existing Salesforce identity, link the new social identity to it, and update profile details if the source data changes. Login flows are not the primary mechanism for social identity linking, and forcing the user through an extra selection page creates unnecessary friction. In Salesforce CIAM, the registration handler is the lifecycle control point: it decides whether to create, update, or link the user so the portal maintains a single consolidated identity per customer. This is why options B, C work together as the correct solution.

Salesforce supports dynamic branding for Experience Cloud login journeys through the Experience ID parameter. The Experience ID tells Salesforce which branded experience to render, allowing a single identity implementation to serve multiple brands or sub-brands without building separate authentication stacks. This is more scalable than asking users to pick a brand after arrival or inventing custom parameters and branding logic outside the standard experience framework. It also works cleanly with OAuth and SAML-based sign-in patterns, which is why it is commonly recommended in multi-brand CIAM designs. When the requirement is to reliably present the correct branded Salesforce experience during login, the Experience ID is the built-in mechanism intended for that routing and presentation layer. This is why option B is the best answer in Salesforce terms.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why options B, D work together as the correct solution.

The OAuth 2.0 Device Flow is intended for devices that have limited input or display capabilities and therefore cannot easily support a standard browser-based login interaction. Instead of collecting full credentials on the device, the user completes authorization on a secondary device using a verification code and URL. That is why Salesforce recommends device flow for TVs, appliances, kiosks, and similarly constrained hardware. Asset Token Flow solves a different problem: it authorizes a registered asset or device to call Salesforce as a connected thing. Here the requirement is about registration and user authorization from a constrained device, so the device flow is the correct match. The design distinction is between human sign-in on limited hardware and secure machine identity for an asset. This is why option D is the best answer in Salesforce terms.

When a service provider needs to continue making calls back to Salesforce on behalf of the user after login, OpenID Connect is usually the more natural choice because it sits in the OAuth family and aligns well with token-based delegated access. SAML is excellent for browser-based federation, but it is not as naturally suited to modern API token usage after the interactive sign-in event. The question is not simply “which protocol is more secure.” It is about post-login application behavior. If the downstream application needs identity plus a token-friendly pattern for additional calls, that use case pushes the architect toward OIDC. In other words, the deciding factor is what the service provider must do after the initial authentication succeeds. This is why option B is the best answer in Salesforce terms.

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why options B, C work together as the correct solution.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option C is the best answer in Salesforce terms.

When a mobile application uses refresh tokens to preserve login state, the strongest control for forcing re-verification after inactivity is the refresh token policy. Salesforce lets administrators define when refresh tokens expire, including inactivity-based expiration. That is more aligned with the stated requirement than a generic session timeout, because the app renews access through the refresh token even after individual access tokens expire. Denying refresh_token scope would break the usability requirement, and manually maintaining permitted users would be operationally weak. The architecture question is about reauthentication after the device has been idle from an OAuth perspective. In Salesforce connected apps, that control sits with the refresh token policy, especially the “expire if not used for X days” style setting. This is why option D is the best answer in Salesforce terms.

When partners need a single login and some do business across multiple country operations, the lowest-customization answer is often to federate access across org boundaries with SAML rather than replicate identities manually in each org. A partner can maintain a primary login context and use federation to reach the additional orgs or communities they need. Consolidating everything into one org may not be feasible if country-based orgs already exist for operational reasons, while APIs and login flows create more custom work. The architectural point is that identity should be centralized even if application data remains distributed. SAML federation is built precisely for that: one user identity can be trusted across multiple Salesforce-based service providers without forcing separate sign-in credentials per country. This is why option A is the best answer in Salesforce terms.

Identity Connect can synchronize several Salesforce security constructs from Active Directory-driven administration, particularly the identity and authorization artifacts attached to users. Profiles and permission sets are directly relevant because they define user capabilities in Salesforce. Roles also matter because they shape record access and hierarchy behavior. Public groups can participate in permission design and assignment patterns as well. By contrast, sharing rules and permission set licenses are not the core mapping focus in the same way. The main architectural takeaway is that Identity Connect is about translating directory-based user management into Salesforce access structures, especially those that determine who a user is, what they can do, and where they sit in the org’s access model. This is why option D is the best answer in Salesforce terms.

When users must be allowed to launch an external service provider from Salesforce only if the organization has explicitly authorized them, the connected app should use the Admin Pre-Approved access policy. That setting moves app access out of end-user consent and into administrator control. Profiles or permission sets then determine exactly which users can use the app. This is the standard Salesforce pattern for governed OAuth access in enterprise environments. Assigning authentication providers to profiles or simply exposing the app to a community does not replace the approval and entitlement model of the connected app itself. The architectural point is that app access and user authorization should be centrally controlled, auditable, and limited to approved users. This is why options C, D work together as the correct solution.

Salesforce’s secure MFA guidance is based on two independent factors, not simply any second code that can be sent to the user. Strong MFA methods include possession-based authenticators and standards-compliant mechanisms such as security keys, approved authenticator apps, and trusted third-party SSO solutions that themselves enforce strong MFA. Lightning Login is also treated as a passwordless, device-based secure approach in the Salesforce ecosystem. By contrast, SMS and email verification do not meet Salesforce’s general MFA requirement for secure user-interface logins in the same way. The architecture point is that Salesforce distinguishes between convenience verifications and strong authentication factors. For compliance-driven MFA, architects should choose the methods Salesforce classifies as high-assurance. This is why options A, B, D work together as the correct solution.

Salesforce login flows are designed to interrupt the sign-in journey and collect information, present screens, or enforce conditions before the user reaches the destination app or site. In this case, the requirement is conditional and mandatory: users must accept updated rules and complete missing profile data before doing anything else. A login flow is stronger than a banner, task, or email campaign because it runs at authentication time and can branch based on user data. That makes it suitable for compliance-style steps such as terms acceptance, privacy notices, or profile completion. The architect can evaluate user fields, display the required screen only when needed, and block progress until the data and acknowledgment are captured. This is why option D is the best answer in Salesforce terms.

The AMR field in Salesforce Login History is meaningful only when the upstream identity provider includes authentication-method information in a way Salesforce can understand. Salesforce can surface AMR information from modern federation patterns, but the actual authentication methods must be asserted by the IdP. That is why architects need to think about protocol support and IdP implementation. The field is useful because it shows how the user authenticated upstream, for example whether MFA or another method was used. High-assurance session settings are related to policy enforcement, but they do not by themselves populate AMR. The key design point is that AMR is an observation of the IdP’s authentication methods, not an independent Salesforce-generated fact. This is why options A, C work together as the correct solution.

For a connected app to appear as a tile in the Salesforce App Launcher, two things generally matter: the app must be marked visible in the App Launcher, and the connected app configuration must include the required launch details such as the start URL or equivalent launch settings. High-assurance session requirements or OIDC scopes do not by themselves control whether the tile shows up. The absence of a launch target can keep the app from being presented meaningfully to users even when the connected app exists. From an architecture and administration perspective, discovery in the launcher depends on app-visibility settings plus a valid launch configuration. Without those, users can be entitled to the app and still not see it in the launcher. This is why options B, C work together as the correct solution.

Salesforce documents token introspection as the standards-based way to ask the authorization server about the current state of an OAuth token after it has been issued. That is exactly what this scenario requires: checking whether an OpenID Connect access token is still active, expired, or revoked. The discovery document only advertises endpoints and capabilities; it does not return runtime token status for a specific token. Likewise, enabling CORS on the token endpoint affects browser access patterns, not token validation, and creating a custom scope changes authorization boundaries rather than token-state lookup. In other words, when the requirement is “retrieve token status,” token introspection is the platform feature designed for that purpose. This is why option A is the best answer in Salesforce terms.